Learn more about the application's permissions and Mergify's security obsession.
At Mergify, security is of utmost importance to us. We understand the crucial role we play in the software development process and are fully committed to earning and maintaining the trust of our users. Our Security page is dedicated to providing transparency regarding our security measures and practices. We continually strive to improve the safety and reliability of our platform, ensuring that your repositories and code are well-protected.
Our Trust Report is designed to provide transparency and instill confidence in our customers. By sharing our compliance reports and offering insights into our security practices, we aim to demonstrate our unwavering dedication to safeguarding your valuable information.
We invite you to explore this documentation and learn more about how we prioritize your trust. Click the button above to access our Trust Report page, where you will find in-depth information on our security measures and our ongoing commitment to protecting your data.
Mergify hosts a public Bug Bounty program with HackerOne. If you’re an independent security expert or researcher and believe you’ve discovered a security-related issue on our platform, we appreciate you disclosing the issue to us responsibly, and thank you for your time and expertise.
At Mergify, we prioritize the security of our platform and the safety of our users. If you have any security-related questions or concerns, please reach out directly to our dedicated security team at firstname.lastname@example.org.
We appreciate your collaboration in ensuring the security of Mergify and its community. Rest assured, all communications related to security matters will be treated with the highest priority and confidentiality.
Below is the list of GitHub permissions that Mergify requires to function properly.

| Permission | Access | Usage |
|---|---|---|
| Repository: Actions | Read-only | Used to read workflow details. |
| Repository: Administration | Read-only | Used to access team details. |
| Repository: Checks | Read and write | Used to read and post checks. |
| Repository: Commit statuses | Read-only | Used to read checks status. |
| Repository: Contents | Read and write | Used to read repository content and write (merge). |
| Repository: Issues | Read and write | Used to close issues on merge. |
| Repository: Metadata | Read-only | Access repository metadata. |
| Repository: Pages | Read and write | Write required to trigger page workflow on merge. |
| Repository: Pull requests | Read and write | Used to read and edit pull requests. |
| Repository: Workflows | Read and write | Used to read workflows and merge pull requests modifying workflows. |
| Organization: Members | Read-only | Used to list organization members. |
| Account: Email addresses | Read-only | Used to read user email addresses. |
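
The permission list above can serve as a baseline for a least-privilege check on the installed GitHub App. The following is an added example, not Mergify's code: it compares the permissions an installation actually holds against the documented list and reports drift. The mapping from table rows to GitHub REST API permission keys is an assumption, and the sample installation object is constructed.

```python
import json

# Documented access levels from the table above. The keys are GitHub REST API
# permission names; mapping each table row to a key is an assumption.
DOCUMENTED = {
    "actions": "read", "administration": "read", "checks": "write",
    "statuses": "read", "contents": "write", "issues": "write",
    "metadata": "read", "pages": "write", "pull_requests": "write",
    "workflows": "write", "members": "read", "emails": "read",
}
LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}


def audit_installation(installation):
    """Return (permission, finding, granted, documented) tuples for any drift."""
    granted = installation.get("permissions", {})
    findings = []
    for name in sorted(set(granted) | set(DOCUMENTED)):
        have = granted.get(name, "none")
        want = DOCUMENTED.get(name, "none")
        if have not in LEVEL:
            findings.append((name, "unknown-level", have, want))
        elif name not in DOCUMENTED and have != "none":
            findings.append((name, "undocumented", have, want))
        elif LEVEL[have] > LEVEL[want]:
            findings.append((name, "over-granted", have, want))
        elif LEVEL[have] < LEVEL[want]:
            findings.append((name, "under-granted", have, want))
    return findings


# Constructed sample shaped like one installation object from GitHub's
# "list app installations for an organization" API; values are invented.
SAMPLE = json.loads("""
{"app_slug": "mergify", "permissions": {
  "actions": "read", "administration": "write", "checks": "write",
  "statuses": "read", "contents": "write", "issues": "write",
  "metadata": "read", "pull_requests": "write", "workflows": "write",
  "members": "read", "emails": "read", "secrets": "read"}}
""")

if __name__ == "__main__":
    for finding in audit_installation(SAMPLE):
        print(*finding, sep="\t")
```

An empty result means the installation matches the documented list exactly; any `over-granted` or `undocumented` row is worth reviewing before accepting a permission update.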
To perform any actions on Mergify, such as adding a pull request in a merge queue or triggering a command, a person must have sufficient access to the relevant account or resource. This access is controlled by permissions. A permission is the ability to perform a specific action. A role is a set of permissions you can assign to individuals or teams.
Mergify users inherit their roles directly from GitHub roles.
That means that a user who has the Read role for a repository in GitHub will also inherit this role in Mergify.
|View the merge queues|
|Freeze a merge queue|
|Unfreeze a merge queue|
|Pause merge queues|
|Manage API keys|
|Manage Mergify subscription|
Non-admin users might be able to manage permissions on demand. Contact our support to request that a non-admin user be given access to Mergify subscription and billing details.